Exploring Internet security, crypto and civil liberties.

Main menu

Post navigation

Counterfeit Xiaomi Phone – An Intriguing Deception

I figured I’d use this post to detail a matter that’s still under investigation by eBay regarding a seller located in either Singapore or China (supposedly China, but the package had a Singapore EMS number) kindly providing me with a clearly fake Xiaomi Mi3 cellular phone. What’s interesting about this is not so much the fact that counterfeit or otherwise questionable items come from China – we all know that it’s pretty much a risk inherent in doing any sort of business in Asia, and I certainly wouldn’t have even considered making the purchase were I not assured that eBay or PayPal would have my back should the seller do anything dodgy. No, the real story here is how damn good the fakes have become and why a novice user may not even be able to spot that anything is at all amiss. Certainly from a security perspective there is potential here – who the hell knows what’s buried in their firmware. The organization have clearly demonstrated their lack of ethics by producing a counterfeit device, so what other little secrets is this device hiding? Here’s some information – and I do admit that I am being kind of lazy here and using parts of this report as my eBay complaint detail.

The first clue when unboxing the device was that the back of the chassis did not feel exactly like the coated aluminum/magnesium chassis of the original phone – but this is far too subjective to be useful to a first time buyer. I noticed that the USB cable which shipped with the device had a “MI” logo on it – something which the genuine USB cable does not have. The charger is unquestionably of the same style that lacks adequate shielding and was responsible for electrocuting several users a while back, and has MI branding screenprinted onto it in a manner that the OEM simply wouldn’t tolerate (heck, it wasn’t even printed straight!).

The counterfeit USB cable features “MI” branding while the official one does not.

When booting the phone I noticed that the “Optimizing” screen featured a stock Android jellybean image and not the anime style bunny screen that Xiaomi use for their Mi products (they actually sell these bunnies on their e-store. I can’t see why anyone would love their device so much they have to have a plush logo, but maybe it is cultural). Later I found that the Fastboot and bootloader screens are also missing the Mi branding, something which other users who have discovered fakes and Xiaomi themselves have revealed is a dead giveaway of a clone.

The fastboot is a generic jellybean Android icon whereas the official Mi3 features an anime style bunny.

This is what the fastboot screen is supposed to look like!

The screen is another point of contention. If you take a screenshot and then check the properties of the image generated, you’ll see that it has a resolution of 720×1280. This is a problem seeing that the Mi3 has a resolution of 1080×1920. The screen also lacks the oleophobic Gorilla Glass III that the official phone has.

The resolution of the display is 720×1280 and not the expected 1080×1920.

Very few benchmarking applications will run successfully on the phone and are force-closed, presumably by some kind of watchdog script to ensure that users don’t easily discover the truth of what lies inside their device. In the stock “About” screen everything appears in order. One application that did run successfully, hwinfo provides another clue to the schizophrenic nature of the beast – two mutually exclusive product codes are used in the same screen, “pisces” (the TD-CDMA version for China Telecom) and “cancro” (the Qualcomm based WCDMA international version). It also notes an incorrect physical screen size and states a PPI of 320 dpi (official phone reports and is spec’d at 441). If you place the device on an accurate scale you’ll also find that it is several grams off the official weight, something which can’t easily be explained away (hint: the included battery is much smaller than the quoted 3050mah cell).

Both “pisces” (TD-CDMA) and “cancro” (WCDMA) showing in Hardware Info.

Entering fastboot mode and issuing a “getvar product” to the device reveals its dirty little secret. This device does not contain the Snapdragon 800 MSM8974, rather the Snapdragon S2 era MSM7627A. Geekbench 3, the only benchmarking app I could actually execute successfully on the device reveals in its multi-core test that the device scored a 806, putting it only slightly above the GNex. Other Snapdragon 800 devices scored much, much higher – for example the LG Nexus 5 at 2538 and the Kindle Fire HDX7 at 2730. The single core comparison was even more pathetic, with the device scoring 295 (worse than the Moto G’s Snapdragon 400). It also turns out the reported memory of 2GB is also a downright fabrication, with actual device memory being reported by Geekbench as 843MB – clearly there is only a 1GB module on board.

The processor doesn’t even remotely approach the scores of a genuine Snapdragon 800.

The memory reported by Geekbench does not appear to correlate with the 2GB specified by Xiaomi.

Xiaomi has an app that is designed to test for fakes, but unfortunately it is Chinese. Nevertheless I ran the device, which reported the device was not a confirmed Xiaomi. I also checked the serial number on the website, which was genuine but had been checked many times, indicating that they are simply cloning “official” serial numbers and issuing them to multiple devices. The IMEI reported to the BTS and the IMEI displayed by the software (e.g. by *#06#) are also different, with the displayed one agreeing with the serial on the box. Obviously they knew that they had to ensure that the IMEI looked unique at least to the cellular network provider lest their little scam be immediately detected by a provider.

Xiaomi’s own testing application highlighting in red the device’s benchmark versus the expected score in black.

Xiaomi’s testing tool highlighting hardware discrepancies.

As you’d expect the official Xiaomi firmware will not flash, either using the included updating app or via fastboot. The flashing tool checks the processor model prior to flashing, which obviously returns the incorrect MSM7627A and the flash does not proceed. This is yet another dead giveaway. Another clue is the performance of the phone, which is sluggish at best and lacks sufficient grunt to even decode some audio files in real time without stuttering when multitasking. The barometric pressure sensor provides a constant output of 1013.* mbar with the last digit moving randomly as if the sensor is actually present. Unfortunately this doesn’t even remotely correlate with the area QNH. There is definetely a GPS module present, but fixes take several minutes and are only obtainable and maintained when literally holding the device horizontally in the air.

Perhaps the most disappointing thing about this fake is that the WCDMA module only supports 2100Mhz (official phone supports quad band WCDMA). This makes it useless in our locale except in certain areas where coverage is lacking and my provider uses 2100Mhz mini-cells to enhance coverage in built up areas such as city centers. Everywhere else it unfortunately falls back to GSM, and often cannot even maintain a GPRS or EDGE connection for more than a few brief moments. If you are speaking during handoff to another cell, the phone invariably reboots. It actually seems like it reboots more often than it stays operational. I ensured I was in a 2100mhz serviced area to do these tests, as it was very unstable both without a SIM and on GSM.

Another interesting point is what I found on the embedded flash of the phone – some screenshots in Russian appearing to highlight the same kind of inconsistencies I am speaking of. Evidently the seller attempted to sell the phone to a Russian buyer, who returned the phone after discovering it was a counterfeit and I have been handed his phone (yet another eBay policy violation from the seller, who stated the device was Brand New). An interesting thing the Russian guy noticed and clearly wanted to make evident in one of his captures was the resolution of a captured photo was just 6 megapixel at 16:9 (the phone specs state 13MP).

So, there you have it. Perhaps the worst thing will be waiting for my refund, and perhaps having to pay postage, etc to return this item to the seller. He has already offered me $70 to simply walk away and accept this piece of junk. I don’t think that is going to be happening any time soon.

NB:The only edits made to photography were to redact the cellular network name from the top display of Android in the spirit of this blog never posting personally identifiable information either of my own self or of contributing authors.

Related

7 thoughts on “Counterfeit Xiaomi Phone – An Intriguing Deception”

Nice investigation, hope you get the f*ckers. Been burned twice so far (expect many more, in fact I suspect at least one of my arduino boards but can’t prove it) from cheap crap from China (the prices are so tempting though). Even still, stories I’ve heard from the big electronics towns (Shenzen?) sound cool, get unbelievable amounts of stuff cheap (sometimes good deal, sometimes getting the cheap deal screws you).

Got a full refund finally. They weren’t happy – sent me an email telling me that they were going to “hunt and kill my dishonorable Pandas” according to Google Translate. Lol, according to a Mandrain speaking friend it actually is a colloquialism for children. Lovely people to deal with, clearly. Oh well, I’ll meet them at LAX if they want to take a transcontinential flight to get me! 🙂

absolutely agree! 🙂 I ended up getting a full refund from them, and the most amusing bit was that PayPal reversed the transaction and the guy had to pay for it. It wasn’t one of those “paypal seller protection” type claims. So that gives me some degree of satisfaction. How are you these days anyway Mr. Figureitout? do you have a PGP key? My email is in the key published on the blog if you ever want to chat.

Lol. Me? Oh you know, barely able to get out of the fetal position due to incessant paranoia, doing just dandy! Nah I’m good, always could be better, but got a job I enjoy. Hope you made it out to Cali. No GPG yet, too concerned w/ falsifying my messages and stealing my keys. Will soon though, real name, etc. I’ll email before summer ends.

I trust the world is well with you, and your reasons for not posting here or elsewhere are due to workload and the grind of daily life.

As for email, as you should guess the one I’ve given above for the form is the equivalent of /dev/nul. When I sort out a new “social” account that I can trust as far as being able to say “hello” I’ll drop you a line.

@ Figureitout,

Stop being “curled up” and get out for some fresh air before the summer heat hits… according to the weatherman “hot air from France” will notch it up by 15f or so over the next few days to over 33C, which is just way to toasty for my liking… Oh and when I’ve sorted out social email I’ll have to get it to you and Nick somehow.

Absolutely – I fully intend to get back into the swing of things once things slow down around here. I miss the entertaining discussions we had on Bruce’s forum!

I hope all is well with yourself and family. Don’t be a stranger – when you get that e-mail account sorted, drop me a line. My email address is embedded in the PGP key I posted. I’m sure you can import it, even if you want to email me in cleartext (which of course, for advocacy reasons I always advise against – even if it’s just chit chat adding to the signal:noise for the agencies just to piss them off seems like a noble endeavor) or just query the key servers and grab it off there. I only avoid posting it due to unsolicited email, the volume of which even for the throwaway account I used on the key I’ve used here is overwhelming!